Posted
by
Soulskillon Friday November 30, 2012 @03:27PM
from the lesson-learned-always-spy-on-your-kids dept.

nonprofiteer writes "This is a crazy story. An FBI agent put spyware on his kid's school-issued laptop in order to monitor his Internet use. Before returning the laptop to the school, he tried to wipe the program (SpectorSoft's eBlaster) by having FBI agents scrub the computer and by taking it to a computer repair shop to be re-imaged. It somehow survived and began sending him reports a week later about child porn searches. He winds up busting the school principal for child porn despite never getting a warrant, subpoena, etc. The case was a gift-wrapped present, thanks to spyware. A judge says the principal has no 4th Amendment protection because 1. FBI dad originally installed spyware as a private citizen not an officer and 2. he had no reasonable expectation of privacy on a computer he didn't own/obtained by fraud."

I find it far more chilling if the FBI knew exactly what is was doing: lying to the judge about having deleted the spying software to set a precedent for doing this wholesale, using a case where the judge would likely be extremely biased in their favor.

Sounds like the FBI probably did a simple wipe by their IT and never gave it a s3cond thought that this spyware was so durable. The standing that it was OKed is so condtlitional it would never survive a wider scrutiny. In other words: Dumb luck prevails.

Also, the computer was school owned. The game would have been much different if it were private. It's akin to catching the principal doing it on the school's library computers.

The Northern Mariana Islands are a top ten candidate for the farthest habitable point from everywhere else in the world. I'm surprised there was more than one FBI agent on the island, and it's a good bet any one of the top quartile of slashdot's readership would instantly be the most computer literate person on the island were they to move there.
Hanlon's razor is particularly applicable here.

Nope. I've used the software mentioned in the article before, and it would most certainly not survive a proper HD re-image. The computer shop either didn't re-image the HD like they said they did, or the FBI lied about taking it to a computer shop in the first place.

The agent shouldn't have needed to take it to a repair shop in the first place. SpectorSoft's own FAQ section states "eBLASTER... cannot be uninstalled without the eBLASTER password YOU specify..."
Sounds like the guy forgot the password AND the shop didn't do its job.

I should note that I assume the site's instructions are for regular users who don't know how to re-image a drive and that doing so would be enough to remove it. Just googling "removing eblaster" appears to give some rudimentary instructions. I doubt it hides itself that well.

I once bought a computer from a small shop which I intended to use as a linux server. The shop put windows on it as a test and right before they gave it to me told me they would wipe the disk "so I couldn't use their copy of windows". The guy hit enter on some erasure program and immediately said "okay thats done" so obviously it wasn't erased, just unlinked.

Re-imaging is a kind of factory reset, in this case, to what the school's IT department says is a standard load for these kinds of school computers. Which may also be no special load, just reset Windows to a fresh install.

Generally, though, only Windoew+ whatever the school had would be installed. Executables generally would not be preserved -- that's the point of a reimage. And data preservation probably isn't done unless specially requested, which doesn't include installed executables anyway.

In spite of all this and the nasty subject, I'm still not comfortable giving the spying government official the benefit of the doubt rather than the spied-upon citizen. It is hardly shocking to anyone to suggest he may be lying out his ass.

1) dd without a fairly large block size is very slow at copying hundreds of gigabytes of data.

2)/dev/random (on Linux, anyways) only gives as much random data as it can generate from the entropy available to it -- which isn't much./dev/urandom would be much faster (and more than random enough, especially after seven passes.)

Your money is now ours. Pay up.The article and the summary state explicitly which software was used [spectorsoft.com], and its no where near as smart as the the stuff you linked. It only works with windows.

I think you give computer shops WAAAAY too much credit. I worked at one about 6 years back as the lead service tech The guys I worked with wouldn't even have recognized an OS that wasn't Windows XP, let alone understand what dd is or what can be done with it.

Keep in mind this wasn't exactly the computer specialist division of the FBI, considering he had to take it to a computer repair shop to get them to fix it. TFA says he asked his colleagues, without knowing anything more I'd assume they don't work in the "cybercrime" division. So more like it survive cleaning by some random individuals and a probably-incompetent computer repair shop (Geek Squad or similar, they probably thinking knowing how to use regedit makes them computer "experts".) The FBI as an organization was completely uninvolved.

A group operating in the FBI that is supposed to know something about computers is CART - Computer Assist Response Team. Now I happen to know that if you take a computer to someone in CART and want them to do something like this it will certainly happen - in about six months when they have a few moments.

The backlog of high priority prosecutions is that deep.

So, do you think this guy got the full attention of someone within the FBI that knew what they were doing for more than two minutes? I doubt it. I don't care if he is in the FBI - there are lots of people in the FBI and most of them don't count for much when compared against current work that someone is waiting for. Sending people to jail is always more important than fixing some colleague's computer.

...the spyware surviving a cleaning by a computer repair shop and the FBI...

Pretty astounding, when you consider he knew what he installed and it comes with de-install directions [spectorsoft.com].Quoting the FAQ:

Tamper-Proof TechnologyeBLASTER does not show up as an icon, does not appear in the Windows system tray, does not appear in Windows Programs, does not show up in the Windows task list, cannot be uninstalled without the eBLASTER password YOU specify, and eBLASTER does not slow down the operation of the computer it is recording. eBLASTER does not initiate connections to the Internet and will only forward email and send activity reports when the monitored computer is already connected to the Internet. All of these features make it extremely difficult for unauthorized users to locate and/or remove eBLASTER.

Re-imaging the computer from original installation media should have done it, but I suspect that the shop he took it to did not havethat media, or the Certificate and wasn't about to use their own copy, and simply removed the user account.

I can see the FBI not wanting to waste their time and resources on what was his personal project, and sent him to a private shop.Good on them if that's how it went down.

But the guy running that private shop might be open to a civil suit by the principal.

Just because he works for the FBI doesn't mean he is computer literate. The majority of them are nothing more than federally paid beat cops doing missing persons investigations and helping out when other LE can't do the investigation themselves. I think you and others are giving him too much credit because he works for a three letter government agency.

Just because he works for the FBI doesn't mean he is computer literate. The majority of them are nothing more than federally paid beat cops doing missing persons investigations and helping out when other LE can't do the investigation themselves. I think you and others are giving him too much credit because he works for a three letter government agency.

My post suggested that even Joe Sixpack should be able to uninstall what he installed, given that the directions are included withthe product and on the product's web site.

However.....FBI agents are far from beat cops. The requirements state [fbijobs.gov] that you must possess a four-year degree from a college or university accredited by one of the regional or national institutional associations recognized by the United States Secretary of Education. You must have at least three years of professional work experience. Y

Before returning the laptop to the school, he tried to wipe the program (SpectorSoft's eBlaster) by having FBI agents scrub the computer and by taking it to a computer repair shop to be re-imaged. It somehow survived

This kind of incompetence is absolutely baffling to me. Putting SW into a computer that you don't know how to remove? Being unable to remove it by wiping a disk (while working at FBI to boot)? Being unable to pick a repair shop that can actually image disks? Not making an image in the first place before you put something you don't know how to remove? I'm stunned.

I'm trying to wrap my brain around how a principal could be so stupid. It's a public computer that gets passed around. I wouldn't look at *regular* porn on that thing. Nor would I visit a banking web site (yes it's HTTPS, but boot keyloggers exist).

Delete profiles - Control Panel\System and Security\System - Advanced Tab of system properties - User profiles - Settings - list comes up with different user profiles - delete the ones you do not want anymore (gets rid of files in the usual space (desktop/my documents/ etc.) Looks like a clean install with new user accounts.

The government isn't out to get you. They have better things to do. This story is anecdotal and at best a good laugh since some good came from it. Please refrain from making generalized statements about things you know zero about.

Shouldn't the shop that supposedly "re-imaged" it busted for fraud? One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non FBI machine that isn't part of an investigation. Finally, these morons don't know about DBAN???

These programs are malware and spyware and use the same methods to stay on as virii. The difference is they are legit so AV programs do not flag them. It could hide in the boot record as a trojan or hide in a restore point and be later re-installed when a user uses it. My guess is the IT team at the school simple uses restore as a quick and efficient way to wipe it before the student received it.

> We should all see the problem with that last sentence, which I had no idea was true until now.> Especially because we use legitimate software that DOES get flagged

My favorite was trying to bring a copy of clamav (definitions) into our internal lab. I didn't realize the linux desktop build here had a virus scanner installed (I have never installed one on a linux box except to scan incoming file for other environments).

I copied it down to my transfer directory, then I went to copy it into the lab.Perm

DBAN is not foolproof. Just the other day I started it up, and the kernel didn't register my hard drive. Started happily erasing my boot stick, and I never would have realized the difference had I not been paying attention.

He didn't use internal FBI resources, hence the computer repair shop. He asked his friends at the FBI if they knew how to clear the laptop. They didn't, so he took it to the shop. That's hardly using FBI resources (the summary is more than a little misleading).

You've never had a coworker ask you for help with something they can't figure out? It happens all the time around here, had many a non-techie bring in a laptop that needs a little TLC and someone will do it over their lunch or bring it home and do it. In the case of the FBI folks doing this they could even have been using it as a training opportunity for a rookie tech.

Shouldn't the shop that supposedly "re-imaged" it busted for fraud? One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non FBI machine that isn't part of an investigation. Finally, these morons don't know about DBAN???

I've been a Slashdotter for 15 years and I had never heard of DBAN until reading your comment and Googling it. Your other two points are pretty solid, though. What the hell happened?

I work for the FBI, and while I am not familiar with this incident, I'm pretty sure there will be some administrative inquiry into misuse of gov't time & resources, especially since it has made us look bad in the press. I'll have to wait for the next quarterly report on ethic violations (which are always hilarious to read, some people are fucking idiots).

He installed the software himself on his kid's loaner notebook to keep track of his kid's activity (you see, the FBI guy is also some kid's daddy, and he wants to know in case somebody solicits his kid in a chatroom).

Then he asked a buddy at work if he knew how to remove the software before returning the notebook to the school; apparently Joe didn't know, so he brought it to a local computer repair shop and asked them to do it for (his own) cas

Shouldn't the shop that supposedly "re-imaged" it busted for fraud? One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non FBI machine that isn't part of an investigation. Finally, these morons don't know about DBAN???

I've been a Slashdotter for 15 years and I had never heard of DBAN until reading your comment and Googling it.

Yea, but do you run a computer repair shop?

If not, it's fair to assume you've never heard of DBAN; however, if your income is based in an industry for whom re-imaging computers is standard practice, having not heard of DBAN is a nigh unforgivable offense (and a damn good reason to avoid your shop in the future).

They might well understand about DBAN. However, this is what I think happened. The last paragraph is most important.

Something like this is likely as not what happened:

FBI dad is sent to "Saipan in the U.S. territory of the Northern Mariana Islands", an FBI office with three agents and a manager. FBI dad installs spyware on kid's school computer. FBI dad is transferred to new location. He goes to his friends in the local FBI office and asks them to scrub the computer. Either A) there aren't any FBI computer experts in Saipan (quite possible), or the local expert says, "I can wipe it, and I could run the restore software, but there's software on there the school installed that I don't have the disks or licenses for. Take it to a local laptop shop."

FBI Dad takes it to the local shop and says, "I want it restored to what it was like when my kid got it", or "I want you to wipe all my kids info off this laptop", or something similar. They say, "We'll do our best." They have the same problem the FBI expert has. If they DBAN the drive, they could destroy the restore partition, and they won't be able to reinstall the school-installed software. If they run the restore partition, the laptop is like it was before the school got it, and they still won't be able to reinstall the school-installed software. So, they remove all personal data and uninstall all software they think the school didn't install. Maybe they spot the spyware and think it is school installed, maybe they don't spot it, maybe they spot it and try to uninstall it, but instead of uninstalling it hides.

Regardless, they remove what they can without destroying the school-installed software and return it to FBI dad. He returns it to the school. Hilarity ensues.

Slashdot readers read a non-technical report on what happened, written by a non-technical writer, who got his information from non-technical reports made by yet more non-technical people, treats it as if the entire report is completely accurate and all technical terms used correctly, and more hilarity ensues.

Every law enforcement parent will install spyware on his kids' school computers and "forget" to remove the spy software.

Wait for the decision in the case. That will say what will or will not happen.

Given your assumption (which is a good one), law enforcement will suddenly declare that nearly ALL findings of anything related to ANYTHING illegal (child porn, money laundering, pro-terrorist crap, some LE's wife cheating on him, etc) were due to "accidental placement and failed removal" of spyware.

The story enclosed within this one is that (a) the FBI is unable to effectively scrub FBI spyware installed by an FBI agent, and (b) the computer repair shop charged an FBI agent to scrub and reimage a laptop, and then apparently just moved it from the To Do shelf to the Done shelf.

Yes, that or the submitter deliberately misquoted the article:"Auther first took the laptop to his FBI office and asked his colleagues how to wipe it clean. Apparently they don’t have many cyber experts in the Mariana Islands, because they were unsuccessful. So Auther had to instead take it to a computer repair shop, which cleaned out the old files and allegedly reimaged the hard drive to return it to its original settings."

Sounds to me like there wasn't any professional FBI 'scrubbing' involved, just some guy going to work and talking about wiping a laptop by the water cooler.

Most laptops these days have a recovery image on a separate partition of the hard drive. It would not be beyond belief that the spyware the agent used injected itself into the recovery partition so it would re-install itself. My guess is that this particular agent was not a technical expert himself and probably just asked a coworker who was technical what he could use to monitor his child's use of the computer. When he handed the machine off to someone to restore it he may not have told them exactly what he put on it, and if they then used the recovery partition, well... you have this scenario.

> Most laptops these days have a recovery image on a separate partition of the hard drive. It would not be beyond belief that the spyware the agent used injected itself into the recovery partition so it would re-install itself.

Nod. In fact, it would be rather silly for a spyware developer to *not* do this.

I was originally going to post that TFA makes it clear that this was a case of a person who happened to be employed by the FBI, finding himself in this situation, but is just described by TFS as "an FBI agent" — it made me wonder whether someone should be defined by their employer.

It rather broke down for me when TFA starts saying how he got "all flashy with his FBI badge" to investigate, rather than just reporting it to the police — is this really still just someone acting as a father?

Read TFA -- the Judge made a note of this. The initial report that he got was just him as a father: after that what he was doing was basically being an FBI agent. *However* even though he was, the fact that the computer was essentially stolen meant the guy had no expectation of privacy for it. anyways.

If we are to be honest when it comes to application of the law, and we are going to say the laptop, since it belong to a third party that didn't issue it to him, he has no expectation of privacy.... don't we also have to rewind and apply similar tests to his original action?

Did he really have any right to install the software on a machine that was owned by a third party and not issued to him? he was spying on his own kid, and I can see exceptions made for that, but he wasn't doing

It's sort of like an off-duty cop who happens to be in a store when it's robbed and takes action as a police officer. His initial being there is just part of being a citizen. Once the robbery started, he made the shift from citizen to law enforcement as would be expected even though he's off-duty.

So, I wonder what would happen to me if I shot that cop busting down my door as a "private citizen"?

It doesn't matter anyway. When it comes to child porn, taxes, drugs or terrorism, you are guilty until proven innocent. Where are the Ben Franklin dressed Teapartiers? Why aren't they out there preaching their message about freedom over this erosion of our liberties? Or it folks are so afraid

Kicking in a door is illegal as a private citizen and is not something you would expect a private citizen to do. Installing software to monitor his kid's activities is something perfectly legal and well within the realm of what a private citizen might be expected to do. As with many laws, there's a gray area that you have to actually use your brain to determine if something is reasonable or not. There's no slippery slope no matter how much you tilt your head.

Kicking in a door is illegal as a private citizen and is not something you would expect a private citizen to do. Installing software to monitor his kid's activities is something perfectly legal and well within the realm of what a private citizen might be expected to do. As with many laws, there's a gray area that you have to actually use your brain to determine if something is reasonable or not. There's no slippery slope no matter how much you tilt your head.

Slight problem with that explanation - it wasn't his laptop, it was the schools.

It seems the only reason this parent isn't getting a visit from the FBI is because he *is* the FBI. If the guy is installing spyware, he could have remotely installed the porn. The spyware itself could have been the delivery mechanism for all sorts of nasty stuff. He certainly had the means, all he would need is a motive. How do we know the guy didn't have a personal vendetta with the principal? But it doesn't matter... because the principal has already been ruined. Yaaaay! Let's all burn another witch!!

In this case the fact is that the guy was an FBI agent was just a random happenstance. Equipment that he did not own was used for illegal activity. It is like if one was borrowing a school bus to transport drugs on the assumption that no one would suspect a school bus. Does the FBI need permission from you to inspect the school bus owned by the school? I wouldn't think so. If a kid were being raped in a classroom, would the cops need probably cause or the rapist permission to enter? No, it is a school, they can enter. I suppose we would be defending the rapist for shooting a teacher who entered the classroom to see what the commotion is?

I try to be very careful about what I use other's equipment for. When I was younger I was less careful about computers, but then when i was younger there was not 10 years of ruling saying that there is no expectation for privacy if you use employers stuff. For instance, is there anything to stop your employer from listening to your telephone calls on phones the employer owns and pays for the operations. Not really. So we bring cell phones to work that we pay for completely. There is no ambiguity if an employer taps a personal phone.

Stories like this are important because it reminds us that using things we don't own for questionable purposes is not really such a good idea. Clearly older people, who grew up in a time maybe when assets were not tracked as carefully as they are today, or younger people who have not learned how carefully things can be tracked, need to hear this lesson. Clearly some believe that that you can steal equipment, use it for illegal activity, and still deserve the full protection of the law.

I won't lie: any day one of these child porn scumbags is caught is a good day. Even so, the story makes no sense. The FBI doesn't know how to remove Spyware? Any technician worth their salt would run DBAN and that would be the end of it. Yet the FBI went though what sounds like a two step process to wipe this thing, yet failed? I'm not buying it. At the same time though, I have no idea why this guy would have any reason to suspect that the principle would immediately start using his son's laptop upon return, nor any reason to think he was looking at child porn. This story is such a hodgepodge of plausible and impossible... I need a freaking drink.

we're talking about the FBI in Saipan, the U.S. territory of the Northern Mariana Islands. no surprise they wouldn't be cyber experts nor have one, and that the parent would just take a school's laptop to a computer shop for a wipe before returning it to school. not a government computer, not U.S. government concern.

He didn't take it to an FBI technician-- if he did, it'd probably have been cleaned up tight and fast. He took it into his office, where TFA says *they don't have cyber guys*. I.e., he's in some dingy little office without a cyber crimes unit. This doesn't sound implausible at all, the guy's in an FBI office across the Pacific in a US territory, not in Los Angeles.

Then he took it in to a local computer repair shop, and it doesn't at all sound implausible to me that they might have fibbed on just what they did. Instead of re-imagining it, they may have just done a quick scrub of the user settings.

"The FBI" didn't go through a two step process. A guy who is also an FBI agent went through a two step process. Not everything an FBI agent does is with the full force and resources of The FBI.

By your logic, every single nurse where I work should be an IT expert just because we also have an IT department. Oh wait, while they might talk to other nurses in their department about a non-work computer they probably won't bring it to the IT department to look at? How bout that, not everyone in an organization with an IT department happens to work in the IT department.

> by having FBI agents scrub the computer and by taking it> to a computer repair shop to be re-imaged.

wow..... um.... I am really curious as to how it did this. Something smells fishy. I can understand it surviving a "scrub", since anyone who does systems work should know that there are many places in a modern os to hide, and unless you know exactly what it does and how it hides, its impossible to say for sure a system has been cleaned.

However, the pc shop? maybe they didn't really "re-image" it, but instead did their own quick "scrub" and ran something like sysprep?

Otherwise maybe they just did a reinstall from a hidden factory reinstall partition? I could see something hiding up in there but....

I dunno, it seems like it HAS to be something along one of those lines. Aside from that...if it really was incidental...well.... accidents do happen, and sometimes they end up biting the best possible people.

In any case, I think the circumstances do sound fishy, and in no way should what he caught excuse what he did if it wasn't accidental, so there should be serious investigation into that too....but I could see that just turning up technical incompetence rather than malfeasance....

That is, unless it turns up fraud on the part of the PC Repair shop.... very likely they did not do the job they were paid to do.

The "FBI" didn't wipe his computer. He simply asked his co-workers for some help. Apparently neither he nor they were particularly tech-savvy so he took it to a computer shop. He probably asked the shop owner to remove "all of my kid's games and stuff". I imagine that this spyware tries to mask itself so that kids cant just find it and uninstall it. The shop owner probably just uninstalled all of the "games and stuff" and then returned it.

The problem is that a person who was so confused by removing software that he had to go to a "computer shop" is trying to tell you what he did. He didn't get the FBI to clean the machine, he simply asked his co-workers who didn't know either. This also happened in Saipan, not New Jersey. The FBI has a small office, not a high tech lab.

The FBI agent screwed up by not notifying authorities immediately(he tried to solve the case himself), but he was probably concerned that the evidence wouldn't hold up in court. Lucky for everyone, the Judge seems like he was willing to stretch the letter of the law to punish a clearly guilty man.

Everyone seems to be assuming at least one of two things:
1. That the FBI is lying about not knowing how to remove software.
2. That the computer repair shop he took it to lied and didn't do the work.
While both are possible, they aren't the only explanations. First of all, not every member of the FBI is an IT professional. They probably have plenty of tech-illiterate employees in their ranks. I have met a lot of people that are geniuses when it comes to their own trade but are absolutely helpless t

Second, judges throw out such claims in court all the time. The evidence should not have been permisable as the agent should be the one in trouble here for interfering with school property. If any evidence was obtained illegally then it needs to be thrown out.

The main way that rootkits survive a total hard disk format is because they're running at the time - any decent rootkit is more than able to stop a simple format from removing it simply by intercepting any parts of the format which target it, and returning OK signals. They'll usually survive a low level format in the same manner. "Whats that? You want to change one of my bits to 0? Okay.. umm.. Done! *cough*". You can generally reliably remove rootkits by taking the drive out, putting it into an external drive bay (so its not present on a PC while booting), connect the drive when your PC is started up and then format it with none of its code executing.

However, if the FBI or PC store simply formatted it through, say, re-formatting the drive by running the Windows setup disk, then a kernel level rootkit would happily stay in-tact in this manner. In fact, to spot it, you'd really have to use some imaging software with comparison checksums so that after the the imaging it can make sure everything is as it should be. While the rootkit can happily inform that "nothing is there", it can't predict what should be there in an imaged drive, and would be caught out that way.
However - thats not how 99% of us format drives, especially since most don't have MD5d images of other peoples hard disks, or don't put them in external caddies before doing so.:P

The main way that rootkits survive a total hard disk format is because they're running at the time - any decent rootkit is more than able to stop a simple format from removing it simply by intercepting any parts of the format which target it, and returning OK signals. [...] if the FBI or PC store simply formatted it through, say, re-formatting the drive by running the Windows setup disk, then a kernel level rootkit would happily stay in-tact in this manner.

If they used the Windows setup disk to nuke the drive, how did the rootkit get on the DVD? How did the rootkit stay running after a reboot? You're almost on the right track, but BIOS/EFI infection is the answer you're looking for (or HDD firmware). The rootkit has to be running before any OS boots up. Even a boot-sector virus won't survive a disk-wipe, so there had to be a re-infection method.

You can generally reliably remove rootkits by taking the drive out, putting it into an external drive bay (so its not present on a PC while booting), connect the drive when your PC is started up and then format it with none of its code executing.

Why go through that much trouble?

Just stick a bootable optical disk with formatting tools on it in, boot from it, and then format the infected drive. No code from the drive will be running so any rootkit on the drive will be overwritten.

I don't know how the Windows setup disk works, but I find it hard to believe it'd start running the kernel that's on the disk drive that you want to format. Certainly a Linux install disk would work just fine.

Or not every single FBI agent is a computer expert and he just talked with some co-workers in his department rather than having the FBI's IT team take a crack at it. Which is why they would have taken it to an IT shop.